a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEMASI-24-12B DOC. SCAN.exe
Size

699KB
MD5

63d2f97a6de92084873293a617e685db
SHA1

423997f0830a1f833d7c1e6b615ac84850b298a1
SHA256

a754c8899bf9ffc378d8fe239a58b0154bd9fc7cf8b2f2fdc1b1103885a70c99
SHA512

2954eb36e39cbfa18c024dae9536d42b4f2eecf16bf3db623e0efc3f1a7ba02f9df4a1831abb4315b03b83c7497278b10f8001ea484cc31da8352f265f214743
SSDEEP

12288:E3cAEjow+kXtp28J4cGUhl+n0kbd6t21Rwm3+9rtQEFoxB50+tNADhZebeEkO/:E3cAEjow+kXf28J4cGeAn0Ttzm3EruEa

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

DEMASI-24-12B DOC. SCAN.exe

pid	Process
1748	DEMASI-24-12B DOC. SCAN.exe
1748	DEMASI-24-12B DOC. SCAN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2240	1748	WerFault.exe	27

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DEMASI-24-12B DOC. SCAN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMASI-24-12B DOC. SCAN.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DEMASI-24-12B DOC. SCAN.exe

description	pid	Process	procid_target
PID 1748 wrote to memory of 2240	1748	DEMASI-24-12B DOC. SCAN.exe	28
PID 1748 wrote to memory of 2240	1748	DEMASI-24-12B DOC. SCAN.exe	28
PID 1748 wrote to memory of 2240	1748	DEMASI-24-12B DOC. SCAN.exe	28
PID 1748 wrote to memory of 2240	1748	DEMASI-24-12B DOC. SCAN.exe	28

C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe
"C:\Users\Admin\AppData\Local\Temp\DEMASI-24-12B DOC. SCAN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 532
  2⤵
  - Program crash
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

Filesize
39B

MD5
30b38fdaf7aa2c5edee19516cf94ccc8

SHA1
c0b9a65702e427c1ff7cba4ead7567fff222d7ee

SHA256
cf4d212c34fad924ab772ed4ca1f3ca2feba5a25c35d9af1b71217df28041b45

SHA512
c41e107e3d59f6e96fa9a5ca3f49ace8ca8c2c7b46d0b34cdbc519bc8c30b44be3a1dd301988aeab2d936141736b8fde7797fb32901073bb99fd702a0ff087b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D46.tmp

Filesize
60B

MD5
94d50858f536d0b073217deb807d181a

SHA1
deaaf25f8ec263928644fceb69dcb199a06cf8e7

SHA256
2e191ac2589e939929565cf8bd27d1caa964a008e0e3601d3aa868232881439d

SHA512
f7ff9d549378b002cb9abe8c2cc826d3df1ff15f66bcf06ef0c0c55ecf70560e0c0b7951cefd8c94a7687fd38ca8b6c19668074772f1aac5e8a42bebbd6c2534

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8D95.tmp

Filesize
11B

MD5
cda05fedfd1133dfc6439e441829b6ba

SHA1
e0dfbcfe83a13922d365506312212928871f9c0b

SHA256
27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099

SHA512
1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8DE4.tmp

Filesize
14B

MD5
67bb7ef976d4ce39058a22b6174a0e72

SHA1
9be7c1328a129dfa8fbda22b646e803ff262c5ef

SHA256
97e5daf6f20df9ce038a539d8bcf4d7b9efc1058102c9ce7ce1e6e169200672c

SHA512
12192b1718b77b437b383bca40335944b6bcaa772ccd398eb4b92a5b7882e3159a65470141fb98d7911f96bd97d46e93955302a9f5a19059ebcaa2c1a3f915e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8C97.tmp

Filesize
24B

MD5
42e9d16f22a223f11084f22b94b42210

SHA1
7f4dcba6193c831687f6a1cac9b60231be8a6a1a

SHA256
0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91

SHA512
a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8CE6.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit